Sometimes DTLS cannot be negotiated

rtpengine version the issue has been seen with

11.5.1.9+0~mr11.5.1.9+omnivigil1

Used distribution and its version

Ubuntu 22.04.3 LTS

Linux kernel version used

5.15.0-1052-oracle

CPU architecture issue was seen on (see `uname -m`)

x86_64

Expected behaviour you didn't see

Hi, we have Kamailio WebRTC gateway and RTPEngine, which works good with JsSIP client on all PCs. We are experiencing issues with mobile devices on different browsers (Chrome, Edge, Firefox). Periodically no audio while making the call from WebRTC to another device. One call may work, another will not. Any configuration, public IP, networking is not changing at this moment.

Unexpected behaviour you saw

During such call from WebRTC to SIP device via Kamailio Proxy in logs I see the following errors.

Feb 27 10:56:45 webrtc-kama-01 rtpengine[439526]: ERR: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [srtp] SRTP output wanted, but no crypto suite was negotiated
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: INFO: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] Confirmed peer address as 10.24.6.121:19594
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: INFO: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] Kernelizing media stream: 10.24.6.121:19594 -> 10.0.244.5:19706 | 10.0.244.5:11439 -> 46.211.225.182:51438
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: WARNING: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] No support for kernel packet forwarding available (encryption cipher or HMAC not supported by kernel module)
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: INFO: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] Kernelizing media stream: 10.24.6.121:19594 -> 10.0.244.5:19706 | 10.0.244.5:11439 -> 46.211.225.182:51438
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: WARNING: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] No support for kernel packet forwarding available (encryption cipher or HMAC not supported by kernel module)
Feb 27 10:56:49 webrtc-kama-01 rtpengine[439526]: NOTICE: [vd08qcefs6gpmh9ptjbi/as29f890ac/1 port 19706]: [core] Setting 'non-forwarding' flag for kernel stream due to lack of sinks

46.211.225.182 - is mobile device (4G network) 10.0.244.5 - Kamailio and RTPEngine internal IP 10.24.6.121 - is another SIP device at internal subnet

Attached also debug log vd08qcefs6gpmh9ptjbi.log

Steps to reproduce the problem

In RTPEngine debug, it should be clear which Kamilio configuration we use, but adding also here some configs for initial SDP (wss->sip) and reply (sip->wss)

                if ($proto =~ "ws") { 
                        # webrtc to sip
                        $xavp(r=>$T_branch_idx) = $xavp(r=>$T_branch_idx) + " rtcp-mux-demux DTLS=disable SDES-off ICE=remove RTP/AVP";
                } else {
                        # sip to webrtc 
                        $xavp(r=>$T_branch_idx) = $xavp(r=>$T_branch_idx) + " rtcp-mux-offer generate-mid DTLS=passive SDES-off ICE=force UDP/TLS/RTP/SAVPF";
                }

Additional program output to the terminal or logs illustrating the issue

No response

Anything else?

No response

JsSIP trace from mobile device (Edge browser)

JsSIP:Transport sending message:
INVITE sip:800@somedomain.com SIP/2.0
Via: SIP/2.0/WSS b9solt38g45q.invalid;branch=z9hG4bK923038
Max-Forwards: 69
To: <sip:800@somedomain.com>
From: <sip:a4e7ac40-e156-480b-b363-b428fcdaa4e1@somedomain.com>;tag=kfe7dn2qnl
Call-ID: vd08qcefs6gpmh9ptjbi
CSeq: 2335 INVITE
X-VS-AccessToken: eyJ0eXAiOiJKV1QiLnB2BZ5W8IgSiGEhkAIBPwD_f9SjA
Contact: <sip:a4e7ac40-e156-480b-b363-b428fcdaa4e1@somedomain.com;gr=urn:uuid:c6041f57-8a6b-43fe-9d86-c7fbef482147>
Content-Type: application/sdp
Session-Expires: 90
Allow: INVITE,ACK,CANCEL,BYE,UPDATE,MESSAGE,OPTIONS,REFER,INFO,NOTIFY
Supported: timer,gruu,ice,replaces,outbound
User-Agent: JsSIP 3.10.0
Content-Length: 2065

v=0
o=- 3737611836656655387 2 IN IP4 127.0.0.1
s=-
t=0 0
a=group:BUNDLE 0
a=extmap-allow-mixed
a=msid-semantic: WMS 003e4740-985a-4268-841e-340b70c1e079
m=audio 51438 UDP/TLS/RTP/SAVPF 111 63 9 0 8 13 110 126
c=IN IP4 46.211.225.182
a=rtcp:51449 IN IP4 46.211.225.182
a=candidate:3856157396 1 udp 2122260223 10.58.23.169 58830 typ host generation 0 network-id 1 network-cost 900
a=candidate:3856157396 2 udp 2122260222 10.58.23.169 36119 typ host generation 0 network-id 1 network-cost 900
a=candidate:1054567061 1 udp 1686052607 46.211.225.182 51438 typ srflx raddr 10.58.23.169 rport 58830 generation 0 network-id 1 network-cost 900
a=candidate:1054567061 2 udp 1686052606 46.211.225.182 51449 typ srflx raddr 10.58.23.169 rport 36119 generation 0 network-id 1 network-cost 900
a=candidate:2602018892 1 tcp 1518280447 10.58.23.169 9 typ host tcptype active generation 0 network-id 1 network-cost 900
a=candidate:2602018892 2 tcp 1518280446 10.58.23.169 9 typ host tcptype active generation 0 network-id 1 network-cost 900
a=ice-ufrag:GP9L
a=ice-pwd:7lce4emCOxBumOfOX00iL2pT
a=ice-options:trickle
a=fingerprint:sha-256 16:89:93:6A:0C:B7:DE:7D:25:53:CB:68:61:DC:E6:A1:AE:53:94:95:20:A8:3A:01:98:CD:B3:71:75:F2:17:F5
a=setup:actpass
a=mid:0
a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=extmap:2 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
a=extmap:3 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:mid
a=sendrecv
a=msid:003e4740-985a-4268-841e-340b70c1e079 324bd461-80ac-41b8-a0cd-a691db41afea
a=rtcp-mux
a=rtpmap:111 opus/48000/2
a=rtcp-fb:111 transport-cc
a=fmtp:111 minptime=10;useinbandfec=1
a=rtpmap:63 red/48000/2
a=fmtp:63 111/111
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:13 CN/8000
a=rtpmap:110 telephone-event/48000
a=rtpmap:126 telephone-event/8000
a=ssrc:1162691968 cname:2hNFJPQ2Swi6VJ5O
a=ssrc:1162691968 msid:003e4740-985a-4268-841e-340b70c1e079 324bd461-80ac-41b8-a0cd-a691db41afea

JsSIP:Transport received text message:
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/WSS b9solt38g45q.invalid;branch=z9hG4bK923038;rport=51442;received=46.211.225.182
To: <sip:800@somedomain.com>
From: <sip:a4e7ac40-e156-480b-b363-b428fcdaa4e1@somedomain.com>;tag=kfe7dn2qnl
Call-ID: vd08qcefs6gpmh9ptjbi
CSeq: 2335 INVITE
Server: SBC WebRTC
Content-Length: 0

JsSIP:Transport received text message:
SIP/2.0 200 OK
From: <sip:a4e7ac40-e156-480b-b363-b428fcdaa4e1@somedomain.com>;tag=kfe7dn2qnl
To: <sip:800@somedomain.com>;tag=as29f890ac
Call-ID: vd08qcefs6gpmh9ptjbi
CSeq: 2335 INVITE
Server: FPBX-15.0.16.46-p15(16.25.1)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Session-Expires: 90;refresher=uas
Content-Type: application/sdp
Require: timer
Content-Length: 663
Via: SIP/2.0/WSS b9solt38g45q.invalid;rport=51442;received=46.211.225.182;branch=z9hG4bK923038
Contact: <sip:atpsh-65ddaa75-695a2-81@somedomain.com:7777;transport=ws>

v=0
o=root 410528676 410528676 IN IP4 33.33.33.33
s=Asterisk PBX 16.25.1
c=IN IP4 33.33.33.33
t=0 0
m=audio 11439 UDP/TLS/RTP/SAVPF 8 0 126
a=maxptime:150
a=mid:0
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:126 telephone-event/8000
a=sendrecv
a=rtcp:11439
a=rtcp-mux
a=setup:passive
a=fingerprint:sha-256 86:BC:45:A6:E0:A8:9F:F3:4F:2D:27:18:CC:AE:84:1D:5D:38:5E:34:96:45:97:00:31:7A:45:27:37:6E:AE:13
a=tls-id:43d0d5e3008266ebfa6a24617f27531d
a=ptime:20
a=ice-ufrag:9sFGoC2A
a=ice-pwd:DmJPMbf6wIyoTxleJpM3AHPAqv
a=ice-options:trickle
a=candidate:9MBRVoJU8lu6nqth 1 UDP 2130706431 33.33.33.33 11439 typ host
a=end-of-candidates

JsSIP:Transport sending message:
ACK sip:atpsh-65ddaa75-695a2-81@somedomain.com:7777;transport=ws SIP/2.0
Via: SIP/2.0/WSS b9solt38g45q.invalid;branch=z9hG4bK4285953
Max-Forwards: 69
To: <sip:800@somedomain.com>;tag=as29f890ac
From: <sip:a4e7ac40-e156-480b-b363-b428fcdaa4e1@somedomain.com>;tag=kfe7dn2qnl
Call-ID: vd08qcefs6gpmh9ptjbi
CSeq: 2335 ACK
Allow: INVITE,ACK,CANCEL,BYE,UPDATE,MESSAGE,OPTIONS,REFER,INFO,NOTIFY
Supported: outbound
User-Agent: JsSIP 3.10.0
Content-Length: 0

sipwise / rtpengine